Yesterday I was debugging one of my programs and found a bug in Wireshark or somewhere else.

Wireshark shows me two UDP packets on transmit with a small time difference and with all bytes matching.
Even the IP identifier is the same in both packets.
When I send this packet to my router and make a packet capture, it shows that only one packet is sent from my PC.

Wireshark is version 2.4.0

How can I find where this problem comes from?

asked 26 Aug, 07:58

marenr

You'll need to provide much more info on your capturing setup, i.e.

  1. Is this on-machine or via a tap or router?
  2. If on-machine, what is the host OS?
  3. What is the capture library, e.g. libpcap, WinPcap, npcap?
  4. What type of interface are you capturing/transmitting on?
  5. Is there a VM involved?

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox etc.?

(26 Aug, 09:46) grahamb ♦

I made the capture again.

Router capture: https://www.cloudshark.org/captures/d8a18c34c5de

Computer capture: https://www.cloudshark.org/captures/765cda700089

This is a Win 10 PC and the capture is made on the Ethernet controller, with VirtualBox and VMware Workstation installed but not running at capture time. I also found that all outgoing packets from my PC are duplicated.

I googled how to find which library Wireshark uses but I did not find it. Can I get some instructions?

(28 Aug, 04:16) marenr

If you post the content of the Help-About dialog, that will show the capture library being used.

(28 Aug, 04:47) grahamb ♦

I also read this but I missed the mention of libpcap.
Here is the About text:

Version 2.4.0 (v2.4.0-0-g9be0fa500d)

Copyright 1998-2017 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.9.1, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 15063, with Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (with SSE4.2), with 32683 MB of physical memory, with locale Slovenian_Slovenia.1250, with WinPcap version 4.1.3 (packet.dll version 0.78 r5), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap.

Built using Microsoft Visual C++ 14.0 build 24215

(28 Aug, 04:56) marenr

Running on 64-bit Windows 10, build 15063, with Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (with SSE4.2), with 32683 MB of physical memory, with locale Slovenian_Slovenia.1250, with WinPcap version 4.1.3 (packet.dll version 0.78 r5)

It looks like you're not using the default WinPcap capture library, I suspect it's some older version of npcap.

Can you remove npcap, reboot and re-install Wireshark allowing it to install WinPcap?

answered 28 Aug, 05:30

grahamb ♦

After removing nmap and reinstalling Wireshark with WinPcap it works as it must.
Thank you.

(28 Aug, 06:00) marenr

@marenr

I've moved my comment to an answer as it seems to have resolved your issue.

Can you accept the answer by clicking the check mark icon on the answer so that others may see the correct answer for the issue?

(28 Aug, 10:28) grahamb ♦
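
An added example, not part of the original thread: a small Python check for the symptom described in the question, i.e. byte-identical frames (which implies the same IP identifier) appearing within a short time of each other in a capture. The sample capture, addresses, ports and the 1 ms window are constructed assumptions; it reads only little-endian classic pcap data.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def read_pcap(data):
    """Yield (timestamp_us, frame_bytes) from a little-endian classic pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec * 1_000_000 + usec, data[offset:offset + incl_len]
        offset += incl_len

def ipv4_id(frame):
    """Return the IPv4 Identification field of an Ethernet/IPv4 frame, else None."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        return struct.unpack_from("!H", frame, 18)[0]
    return None

def find_duplicates(data, window_us=1000):
    """Return (first_no, dup_no, delta_us, ip_id) for identical frames within window_us."""
    hits, last_seen = [], {}  # last_seen: frame bytes -> (packet number, timestamp)
    for no, (ts, frame) in enumerate(read_pcap(data), start=1):
        prev = last_seen.get(frame)
        if prev is not None and ts - prev[1] <= window_us:
            hits.append((prev[0], no, ts - prev[1], ipv4_id(frame)))
        last_seen[frame] = (no, ts)
    return hits

def build_frame(ip_id, payload):
    # Constructed Ethernet/IPv4/UDP frame: made-up addresses and ports, checksums left at 0.
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip + udp

def build_pcap(records):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_us, f in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(f), len(f)) + f
    return out

SAMPLE = build_pcap([  # constructed capture, timestamps in microseconds
    (1_000_000, build_frame(0x1A2B, b"hello")),
    (1_000_012, build_frame(0x1A2B, b"hello")),  # same bytes 12 us later: duplicate
    (1_500_000, build_frame(0x1A2C, b"hello")),  # same payload, new IP ID: not a duplicate
])
```

Calling `find_duplicates(SAMPLE)` reports packet 2 as a copy of packet 1; running the same check on the on-host capture and on the router capture shows whether the copies exist only on the capturing machine.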